Hacker serving 5-year sentence invents ATM add-on to prevent theft

Device rotates ATM cards, prevents skimmers from stealing data.

A criminal serving a five-year sentence "for supplying gadgets to an organized crime gang used to conceal ATM skimmers" has invented a device that prevents ATMs from being susceptible to such thefts, Reuters reported today.

Valentin Boanta, who is six months into his sentence in a Romanian prison, developed what he calls the SRS (Secure Revolving System) which changes the way ATM machines read bank cards to prevent the operation of skimming devices that criminals hide inside ATMs.

Boanta's arrest in 2009 spurred him to develop the anti-theft device to make amends. "When I got caught I became happy. This liberation opened the way to working for the good side," Boanta told Reuters. "Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction. So that the other part, in which I started to develop security solutions, started to emerge."

Boanta began working on SRS during his trial. SRS, Boanta says, can be installed into any ATM. It rotates the customer's bank card to prevent the operation of skimming devices as they are currently designed.

SRS development was funded by a company called MB Telecom and the product is being shopped around by Gnosis Kernel, which says:

The main characteristic of the SRS device is highlighted by the insertion of the credit card on its width (not on its length like in present cases), with the magnetic tape facing down. Considering this innovation, the magnetic tape cannot be copied under any circumstance by skimming devices, devices which need to read the magnetic tape on its length in a sequential manner. SRS assumes the credit card and its mechanical and electronic devices rotate it, inserting it into the ATM (or any other device that uses plastic credit cards). After the transaction is completed the released credit card is again assumed by the SRS and with the same rotary motion, but in an opposite direction, it is returned back to the user in the same position as it was initially inserted (on its width and with the magnetic tape facing down). Using this manner of inserting the credit card, on its side, the translation motion of reading the tape is no longer possible, making it useless to install skimming devices on ATMs.

Seems to me that since this would work as an add-on to an already existing ATM, a skimmer could simply replace that rotation device completely with one of his/her own making and integrate a scanner into that.

Essentially because it's bolted on to the exterior, it already looks "out of place" and thus replacing it with something that looks at least somewhat identical, wouldn't raise that much in suspicion. It doesn't seem to be hard at all to completely cover up or even fully replace things like Num-Pads or the card readers. If all a person has to do is create the same kind of rotation device but integrate a skimmer into it, they'd be all set.

Or the machine can just swipe the read head across the mag stripe, holding the card in place. That's probably simpler and uses less space.

I like the idea that a criminal is actually working on ways to counter his own crime. Good for him, and I hope he actually can stay straight once he's out. That's what the Justice system is supposed to do.

Or the machine can just swipe the read head across the mag stripe, holding the card in place. That's probably simpler and uses less space.

I like the idea that a criminal is actually working on ways to counter his own crime. Good for him, and I hope he actually can stay straight once he's out. That's what the Justice system is supposed to do.

if your card is in such bad shape that it won't read reliably, this device won't make any difference. all this does is sit on top if the existing card slot and physically rotate your card then feed it to the ATM's stock slot.

unfortunately it does nothing to prevent hardware/software-based skimmers installed INSIDE the machines by service employees, like what happened at those self-serve grocery checkouts not that long ago.

if your card is in such bad shape that it won't read reliably, this device won't make any difference. all this does is sit on top if the existing card slot and physically rotate your card then feed it to the ATM's stock slot.

unfortunately it does nothing to prevent hardware/software-based skimmers installed INSIDE the machines by service employees, like what happened at those self-serve grocery checkouts not that long ago.

In those cases, at least there's only a handful of people which need to be investigated.

Or the machine can just swipe the read head across the mag stripe, holding the card in place. That's probably simpler and uses less space.

I like the idea that a criminal is actually working on ways to counter his own crime. Good for him, and I hope he actually can stay straight once he's out. That's what the Justice system is supposed to do.

The idea here is that this gadget can be bolted onto existing ATMs.

So how do you tell the difference between this thing and a skimmer that someone bolts on the front end of an ATM which replicates the rotation function?

Good for him! Doing good deeds makes you feel good (and the society benefits). However, from a pure engineering standpoint, this seems to add a lot more complexity (mechanical system) for a minor gain. I believe chip based cards are not succeptible to this type of skimming and it would be a lot easier to deploy such a system.

Or the machine can just swipe the read head across the mag stripe, holding the card in place. That's probably simpler and uses less space.

I like the idea that a criminal is actually working on ways to counter his own crime. Good for him, and I hope he actually can stay straight once he's out. That's what the Justice system is supposed to do.

The idea here is that this gadget can be bolted onto existing ATMs.

So how do you tell the difference between this thing and a skimmer that someone bolts on the front end of an ATM which replicates the rotation function?

good point. and i'm pretty sure that the card-reader section of most ATMs is probably a modular piece that can easily be replaced. have something flush-mounted like existing stuff, and have it draw in the card width-wise, stripe first, and do the rotation inside the machine. you'd have to open the machine to install this anyway, if for no other reason than to give it power.

Seems to me that since this would work as an add-on to an already existing ATM, a skimmer could simply replace that rotation device completely with one of his/her own making and integrate a scanner into that.

Essentially because it's bolted on to the exterior, it already looks "out of place" and thus replacing it with something that looks at least somewhat identical, wouldn't raise that much in suspicion. It doesn't seem to be hard at all to completely cover up or even fully replace things like Num-Pads or the card readers. If all a person has to do is create the same kind of rotation device but integrate a skimmer into it, they'd be all set.

Or the machine can just swipe the read head across the mag stripe, holding the card in place. That's probably simpler and uses less space.

I like the idea that a criminal is actually working on ways to counter his own crime. Good for him, and I hope he actually can stay straight once he's out. That's what the Justice system is supposed to do.

The idea here is that this gadget can be bolted onto existing ATMs.

Ah, I didn't quite get that part. I thought it replaced the existing card reader.

That's actually kind of funny, then, since to block card skimmers, he's actually installing a card-skimming like device. I can totally see someone cloning his card twister and building a skimmer right into it... pretty much eliminating the benefit.

For this to be effective, it really needs to be internal to the ATM, not an external, bolt-on piece.

Do you use your PIN number, and your ATM machine card to remove your cash money from the ATM machine reading its LCD display before it depreciates in value? BTW, when did banks stop giving out free gifts?

How about simply removing magnetic stripes and only using chip based cards?

The system suggested, in the article, certainly has merits but as an add-on creates its on risks.

Another solution is to ensure that the whole front panel of the ATM is a single piece of plastic, so it would make it harder to add a fake reader?

I honestly don't know why the industry hasn't gone to smartcards by now. The readers are actually simpler, and the cards won't wear out so fast. My guess is that the inventers of the smartcard charged prohibitive enough license fees that the industry simply took a pass. (IBM licensed the magstripe for free, which is why it's now everywhere.)

Or the machine can just swipe the read head across the mag stripe, holding the card in place. That's probably simpler and uses less space.

I like the idea that a criminal is actually working on ways to counter his own crime. Good for him, and I hope he actually can stay straight once he's out. That's what the Justice system is supposed to do.

The idea here is that this gadget can be bolted onto existing ATMs.

Or Diebold or Siemens can get off the couch and try innovating in response to a known issue. Tom's simpler, cheaper and more obvious idea makes more sense. Designing an ATM front that's one piece would seem obvious as well. Now, lets hear why these things "can't be done."

Or the machine can just swipe the read head across the mag stripe, holding the card in place. That's probably simpler and uses less space.

I like the idea that a criminal is actually working on ways to counter his own crime. Good for him, and I hope he actually can stay straight once he's out. That's what the Justice system is supposed to do.

The idea here is that this gadget can be bolted onto existing ATMs.

So how do you tell the difference between this thing and a skimmer that someone bolts on the front end of an ATM which replicates the rotation function?

He's still on the dark side, he just found an elaborate way to communicate a new skimming method to his minions to develop.

Couldn't a skimmer use an array of sensors to detect the pattern even when the card is slid in sideways?

This.

This will be all that changes.

The only possible mitigation is that the machine mechanically moves 90 degrees. If it moves to flush, it appears there is a part of the strip that might not be able to be read, but even if that was missing, it could be recovered with the checksum on the magnetic stripe. (By putting numbers against it until the checksum works out, or reversing the checksum algorithm)

So from reading the article and watching the video it looks like this new add-on would be put in front of the current reader and all this does is rotate then insert. So it now would work like this

Card reader - Add on - Customer

So what would stop someone from simply removing this putting a skimmer behind it and then putting this back on.

Card reader - Skimmer - Add on - Customer

It would seem that this would actually make skimming harder to detect as a consumer since you know have this add on that looks out of place that hides what is actually reading the card.

Having said that I really hope that we move away from mag strips soon. For some reason I can not find a spot in my wallet that doesn't cause the card to either warp or crack right where the strip is. And that is going through several wallets so it is not just one brand.

Or the machine can just swipe the read head across the mag stripe, holding the card in place. That's probably simpler and uses less space.

I like the idea that a criminal is actually working on ways to counter his own crime. Good for him, and I hope he actually can stay straight once he's out. That's what the Justice system is supposed to do.

The idea here is that this gadget can be bolted onto existing ATMs.

So how do you tell the difference between this thing and a skimmer that someone bolts on the front end of an ATM which replicates the rotation function?

good point. and i'm pretty sure that the card-reader section of most ATMs is probably a modular piece that can easily be replaced. have something flush-mounted like existing stuff, and have it draw in the card width-wise, stripe first, and do the rotation inside the machine. you'd have to open the machine to install this anyway, if for no other reason than to give it power.

edit: spellink ist hard

So, how do you propose the criminals get this device off of the ATM machine? Do you think the ATM vendor will install this device using double-sided sticky tape and AA batteries?

But it will cost more so the ATM owners (banks) will never install it. The cost of ATM fraud is born by the account holders, not the machine owners, so there is very little incentive for the ATM owners to act.

Or the machine can just swipe the read head across the mag stripe, holding the card in place. That's probably simpler and uses less space.

I like the idea that a criminal is actually working on ways to counter his own crime. Good for him, and I hope he actually can stay straight once he's out. That's what the Justice system is supposed to do.

The idea here is that this gadget can be bolted onto existing ATMs.

So how do you tell the difference between this thing and a skimmer that someone bolts on the front end of an ATM which replicates the rotation function?

good point. and i'm pretty sure that the card-reader section of most ATMs is probably a modular piece that can easily be replaced. have something flush-mounted like existing stuff, and have it draw in the card width-wise, stripe first, and do the rotation inside the machine. you'd have to open the machine to install this anyway, if for no other reason than to give it power.

edit: spellink ist hard

So, how do you propose the criminals get this device off of the ATM machine? You think they will be using double-sided sticky tape?

they don't have to - they just have to make one that looks/works like this but is actually a skimmer, and add it to a machine that doesn't have one of the rotating things yet.

or just violently remove it with a hammer or crowbar, then install one of their existing skimmers to cover up the damage.

also - did anyone else notice that the card used in the demo animation actually DOES have a chip? oh, the irony.

So, how do you propose the criminals get this device off of the ATM machine? You think they will be using double-sided sticky tape?

they don't have to - they just have to make one that looks/works like this but is actually a skimmer, and add it to a machine that doesn't have one of the rotating things yet.

I find a hard time believing anyone would go through that much trouble when you could just camoflage a normal skimmer. That way when the tech comes out to fill it with cash it won't look so damn obvious.

Quote:

or just violently remove it with a hammer or crowbar, then install one of their existing skimmers to cover up the damage.

Possible, but this sure doesn't look like the "low hanging fruit" approach. Criminals are like everyone else, they value efficiency. The least amount of effort they have to spend making a buck and getting away with it the better. If they really wanted to put that much effort into making money, they'd have gotten into the banking industry themselves and made a boatload of money skimmi- er, charging fees for value added services.

For some reason I can not find a spot in my wallet that doesn't cause the card to either warp or crack right where the strip is. And that is going through several wallets so it is not just one brand.

As a mitigation strategy, put your wallet in a front pocket. It also makes your wallet harder to be picked.

this also helps eliminate back problems caused by sitting on your wallet, which cocks your hips and throws a curve into your spine. hell of a lot more comfy, too.

Did not know about the back problems. I honestly do not find it uncomfortable to have my wallet in my back pocket unless I'm driving for 2+ hours at a time, and that includes sitting all day at work. Maybe it has something to do with having kept my wallet in my back pocket since I got a wallet when I was ~14 or so.

I'll have to switch it to a front pocket I normally do that when I go to NY cause of the pick pocketing but normally I have keys on one side and phone on the other side in my front pockets.

Maybe he's telling the truth, though usually criminals are sad about only one thing, and that is that they got caught. Once he gets out, only his actions will tell society what his true intentions are, and I hope they confirm he was telling the truth.

Maybe he's telling the truth, though usually criminals are sad about only one thing, and that is that they got caught. Once he gets out, only his actions will tell society what his true intentions are, and I hope they confirm he was telling the truth.

Not knowing anything else about this guy (and not caring to look it up) I could easily see a scenario where he was forced into the crime ring. And then once they found his talents not letting him go if he wanted to leave and not do it any more.